CPO as Data Protection Officer?

In May 2019 the General Data Protection Regulation has been implemented in all member countries of the European Community. The GDPR is about how data on EU citizens can be used by companies and organizations. It is also known as the “privacy law." Some big companies like Facebook and Google already faced investigations and/or penalties. The penalties can be as high as 4% of the total turnover worldwide with a maximum of 20 million Euros. Also small companies (SME) will be subject to investigations.

According to GDPR some organization must have a Data Protection Officer. This DPO ensures that the company involved complies with aspects of GDPR. Many companies appoint a DPO on a voluntary basis.

GDPR has many aspects: cultural (does every employee knows the importance of data protection?), technical (are systems designed and implemented with data protection in mind?) and physical (are systems and data adequately protected?). Data breaches are to be reported immediately to the responsible authorities in each country.

Many data breaches, voluntary and involuntary, are caused by humans and human error. Mostly by internal personnel. Social engineering is a commonly used technique by outsiders to lay their hands on organization specific information. E.g. calling internal personnel and asking them questions (pretending to be a software service desk employee) to get passwords and access keys.

“Steeling” data is easier than to steeling gold. The latter requires a (large) logistic operation. Whilst for steeling data the only thing one needs is a small USB stick which can be hidden anywhere (on the body). Or one could simply send (a copy of) the data as an attachment with an email.
In 2015 two Chinese employees at ASML stole the source code of a highly advanced simulation tool. The total damage was 220 million US.
During an important office renovation thieves dressed up like employees from the renovation company entered the building and left with several laptops with valuable data.

A company can not only be damaged by steeling information but also by blocking access to critical data and systems. A widely used technique is sending a lot of information requests in a small period of time to the IT systems of a company. The systems get overloaded and fail (so called distributed denial of service or DDOS attacks). Critical data and information can be protected by physically limiting the number of terminals or computers which can access the data. Those computer and terminals can be put in a room with access by authorized personnel only.

On his evening patrol through the office building the CPO can check PC’s for post-its with passwords. PC’s should be turned off after office hours.
At the reception desk of a company, the CPO should be aware of social engineering, also on the phone. Voice recording is becoming daily practice. Tapes can be used as evidence (like video recordings).

Companies should have a policy for the use of smartphones. Smartphones often have voice recording, photo and video capabilities. Some companies have restricted areas for smartphones. Video and voice recording devices have become very small and cheap. Some of them can transmit the data directly to a receiver outside the company building. CPO’s must know the possibilities of those devices and how to recognize them.

Some companies have dedicated rooms which are checked regularly on spy equipment (audio and video recorders). Anti-spy equipment (detection equipment) is easily available.

Data protection is on the agenda of many CEO’s because of regulatory obligations but certainly because of economic reasons. I’m convinced think that the CPO can and should add important value in the area of data protection.

The International Foundation for Protection Officers (IFPO) is dedicated to providing meaningful and cost effective security training for security guards and protection officers.

We believe that education is a necessary and essential part of professional security training and the security officer’s background. IFPO serves individuals, security companies, and organizations that have their own private security staff. Our students and members benefit from the recognition and standing that the prestigious IFPO certification conveys.

The International Foundation for Protection Officers provides professional learning opportunities for security practitioners, to impart the knowledge, skills, and competencies required to maximize job performance and enhance career potential.

Purpose: to make a positive difference in the quality of the participant’s job performance and elevate the professional status of students who partake of our learning opportunities.

Business: to supply committed security practitioners with a quality education to help achieve their highest potential and provide recognized accreditation for successful completion of educational goals.

Values: commitment, integrity, responsibility, and standards of excellence, provide the platform that supports our journey as we pursue our mission.

Vision Statement

Commitment to Excellence: To be the recognized center of excellence and primary provider of education and training products and services to the security industry.

Mission Statement Part II.

“The International Foundation for Protection Officers is committed to the support and professional development of protection officers and supervisors. Through advocacy, promoting training standards, and providing accessible training, education and certification opportunities, we seek to enhance their professional standing as well as increase and diversify the value of the vital services they provide.”